Re: [Secdispatch] Numeric IDs: Update to RFC3552
Fernando Gont <fgont@si6networks.com> Thu, 18 April 2019 23:40 UTC
To: Eric Rescorla <ekr@rtfm.com>
Cc: =?UTF-8?Q?Iv=c3=a1n_Arce_=28Quarkslab=29?= <iarce@quarkslab.com>,
IETF SecDispatch <secdispatch@ietf.org>, pearg@irtf.org,
secdispatch-chairs@ietf.org
References: <4ac730a6-73ca-74cd-e848-4a6645bd0403@si6networks.com>
<CABcZeBOy6MB0OG2cs=EE6hWB4pXBuNzW=LcQ+1dKmJzHBOUR-g@mail.gmail.com>
<bc733114-6f97-532b-02d5-2730e834340a@si6networks.com>
<CABcZeBPr2rfVkib684Gz4uCPWtFc4trwusJxNRJ6EPPpA=d0QA@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <f3607e4f-c805-3cb5-110b-f09cb8748577@si6networks.com>
Date: Fri, 19 Apr 2019 01:39:56 +0200
In-Reply-To: <CABcZeBPr2rfVkib684Gz4uCPWtFc4trwusJxNRJ6EPPpA=d0QA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/bKEmjDULpogYAcjeNuwl5mevibI>
Subject: Re: [Secdispatch] Numeric IDs: Update to RFC3552
On 19/4/19 01:09, Eric Rescorla wrote:
>
> On Thu, Apr 18, 2019 at 3:03 PM Fernando Gont <fgont@si6networks.com
> <mailto:fgont@si6networks.com>> wrote:
>
> > On 18/4/19 15:45, Eric Rescorla wrote:
> > >
> > > On Tue, Apr 16, 2019 at 2:07 AM Fernando Gont
> > > <fgont@si6networks.com <mailto:fgont@si6networks.com>> wrote:
> > >
> > > > Folks,
> > > >
> > > > At the last secdispatch meeting I presented our I-D
> > > > draft-gont-predictable-numeric-ids.
> > > >
> > > > From the meeting discussion, it would seem to me that there is
> > > > support for this work.
> > > >
> > > > It would also seem to me that part of this work is to be pursued
> > > > in an appropriate IRTF rg, while the update to RFC3552
> > > > (draft-gont-numeric-ids-sec-considerations) should be pursued as
> > > > an AD-sponsored document.
> > >
> > > I'm somewhat skeptical on an update to 3552; the proposed set of
> > > things to be improved seems unclear.
> >
> > Can you please state what's unclear?
>
> I understand the list of things in your document. However, there have
> been proposals for a larger revision to 3552.

There was an effort to revise RFC3552. It just didn't happen. Looks like
trying to boil the ocean wasn't the best idea.

> > > I don't think that the material in this document should be added to
> > > 3552, as the purpose of 3552 is not really to go into that kind of
> > > detail about any specific topic.
> >
> > What I would expect is that RFC3552 helps prevent us from coming up
> > with vulnerable implementations.
>
> This is not the purpose of 3552. Rather, it is to document what is
> required in a security considerations section in general (the threat
> model, an overview of common issues, etc.) rather than to go into
> detail about a specific kind of attack. Otherwise, the amount of detail
> would become impractical. Indeed, just covering the space of attacks on
> cryptographic protocols would be impractical. One might imagine that if
> there were a revision it would contain a paragraph or three on this
> topic, but nowhere near the 30-odd pages of material that is in this
> document, and I don't think it's independently a reason to do a 3552
> revision.

You seem to be looking at the wrong document. The document in question
is this one:
https://tools.ietf.org/html/draft-gont-numeric-ids-sec-considerations-03

It's a total of 9 pages. If you remove abstract, boilerplate, and
references, you end up with ~4 pages.

In fact, the update (and indispensable text) is that in Section 5, and
boils down to:

---- cut here ----
5.  Security and Privacy Requirements for Identifiers

   Protocol specifications that specify transient numeric identifiers
   MUST:

   1.  Clearly specify the interoperability requirements for the
       aforementioned identifiers.

   2.  Provide a security and privacy analysis of the aforementioned
       identifiers.

   3.  Recommend an algorithm for generating the aforementioned
       identifiers that mitigates security and privacy issues, such as
       those discussed in [I-D.gont-predictable-numeric-ids].
---- cut here ----

> > That said, this document is *updating* RFC3552, rather than a
> > revision of RFC3552. Therefore, the content in this document wouldn't
> > become part of RFC3552, necessarily.
>
> Well, the semantics of "Updates" would be somewhat confusing here.
> Certainly I don't think that this document is something we need to
> transitively incorporate into 3552, but I care a lot less about the
> contents of this header than I do about whether 3552 should be updated
> to include this material.

I do think RFC3552 should be updated as indicated (this stuff is general
enough to be covered there).

That said, the high-order bit here is to do something to prevent the bad
history we have wrt numeric ids from repeating itself.

If the whole point is that you'd like the "Updates: 3552 (if approved)"
header to be removed (along with references to "updating RFC3552"),
please say so. What we care about is to produce a change in what
specifications do with respect to numeric ids, rather than what specific
document we are updating.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
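As an added illustration of requirement 3 in the quoted Section 5 (this is example code written for this page, not text from the thread or from the draft): a naive global-counter generator for a transient identifier beside a per-destination keyed-offset generator in the style of RFC 6528. The 16-bit width, the class names and the `predicts_next` check are assumptions made for the example.

```python
"""Two generators for a 16-bit transient numeric identifier (constructed
example). GlobalCounterIds is the predictable design: one counter shared
by every destination, so an ID observed by one peer reveals the IDs sent
to all others. KeyedOffsetIds keeps the per-destination monotonic
property (counter advances by one per ID) but hides it behind a secret
keyed offset F(src, dst, secret), the RFC 6528 approach."""
import hashlib
import hmac
import os
from collections import defaultdict

ID_BITS = 16                      # assumed width, e.g. an IP fragment ID
MASK = (1 << ID_BITS) - 1


class GlobalCounterIds:
    """Naive: a single counter for all destinations (predictable)."""
    def __init__(self, start=0):
        self.counter = start & MASK

    def next_id(self, src, dst):
        self.counter = (self.counter + 1) & MASK
        return self.counter


class KeyedOffsetIds:
    """Per-destination counter + secret keyed offset, RFC 6528 style."""
    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(16)
        self.counters = defaultdict(int)

    def offset(self, src, dst):
        # F(src, dst, secret): HMAC-SHA256 truncated to ID_BITS bits.
        msg = f"{src}|{dst}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:2], "big") & MASK

    def next_id(self, src, dst):
        key = (src, dst)
        self.counters[key] = (self.counters[key] + 1) & MASK
        return (self.counters[key] + self.offset(src, dst)) & MASK


def predicts_next(generator, src, dst_a, dst_b):
    """Defender's check: a peer at dst_a sees one ID and guesses that the
    next ID sent to dst_b is 'seen + 1'. True means the guess succeeds."""
    seen = generator.next_id(src, dst_a)
    actual = generator.next_id(src, dst_b)
    return actual == ((seen + 1) & MASK)
```

With the keyed generator the guess only succeeds when two destinations happen to share an offset, which for a random secret occurs with probability about 2^-16.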